Refactor authentication handling and improve API client security

- Updated OAuth endpoints for Challonge and Discord in platforms configuration. - Implemented session and CSRF cookie initialization in main application entry. - Enhanced Challonge API client to avoid sending sensitive API keys from the browser. - Modified tournament querying to handle new state definitions and improved error handling. - Updated UI components to reflect server-side storage of authentication tokens. - Improved user experience in API Key Manager and Authentication Hub with clearer messaging. - Refactored client credentials management to support asynchronous operations. - Adjusted API client tests to validate new request configurations. - Updated Vite configuration to support session and CSRF handling through proxies.
2026-02-03 12:50:11 -05:00
parent 161b758a1b
commit 700c1cbbbe
39 changed files with 2434 additions and 999 deletions
--- a/code/websites/pokedex.online/src/utilities/tournament-query.js
+++ b/code/websites/pokedex.online/src/utilities/tournament-query.js
@@ -39,17 +39,9 @@ export async function queryAllTournaments(client, options = {}) {
    communityId,
    page = 1,
    per_page = 25,
-    states = [
-      'pending',
-      'checking_in',
-      'checked_in',
-      'accepting_predictions',
-      'group_stages_underway',
-      'group_stages_finalized',
-      'underway',
-      'awaiting_review',
-      'complete'
-    ],
+    // Challonge v2.1 tournament list supports these canonical states.
+    // (Older v1-style states like "checking_in" are not accepted.)
+    states = ['pending', 'in_progress', 'ended'],
    includeCommunities = false
  } = options;

@@ -61,6 +53,8 @@ export async function queryAllTournaments(client, options = {}) {
    per_page
  };

+  let firstAuthError = null;
+
  // Query all states in parallel
  const promises = states.map(state =>
    client.tournaments
@@ -69,6 +63,10 @@ export async function queryAllTournaments(client, options = {}) {
        state
      })
      .catch(err => {
+        const status = err?.status || err?.errors?.[0]?.status;
+        if ((status === 401 || status === 403) && !firstAuthError) {
+          firstAuthError = err;
+        }
        console.error(`Error querying ${state} tournaments:`, err);
        return [];
      })
@@ -77,6 +75,16 @@ export async function queryAllTournaments(client, options = {}) {
  // Wait for all requests
  const results = await Promise.all(promises);

+  // If we hit an auth error and fetched nothing at all, surface the auth error
+  // so the UI can prompt to connect/reconnect Challonge.
+  const totalCount = results.reduce(
+    (sum, arr) => sum + (Array.isArray(arr) ? arr.length : 0),
+    0
+  );
+  if (firstAuthError && totalCount === 0) {
+    throw firstAuthError;
+  }
+
  // Flatten and deduplicate by tournament ID
  const tournamentMap = new Map();
  results.forEach(tournamentArray => {